# fleet
a
hey all, I have a handful of hosts that are installing and starting the osqueryd process fine, but not showing up in Fleet. I connected to one and checked the osquery flags file, and confirmed that the Fleet enroll endpoint and secret are correct. I’ve restarted the osqueryd process with osqueryctl restart. any tips for further troubleshooting?
(on macOS)
not seeing anything in /private/var/log/osquery
our macOS laptops don’t have fleetctl installed… would that be helpful?
r
@aldente Have you followed any articles, like this one?
@aldente Yes! 🙂
a
I see, but most of our hosts enroll fine with just osqueryctl 🤔 I can look into fleetctl but would rather not reconfigure the enrollment system if I don’t have to at this moment
update: i tested out fleetctl and got it working on these hosts (except 2 intel chip macs… more to dig into there)
is there any guidance for cutting over from a plain osquery deployment to a fleet/orbit deployment? I imagine I should kill the osqueryctl process, delete all the old config, and then push the new fleet pkg to them?
r
@aldente I'm sorry for the delay. You do not need fleetctl for enrollment - you can get away with osqueryctl and be fine. Let's see if we can diagnose what went wrong with the other hosts. You used the same enroll_secret and Fleet installation package on every host?
a
no worries, and that’s correct! tbh it’s been on my list to migrate over to fleetctl/orbit so I don’t have to manually upgrade clients so I’m glad I got the opportunity to test it today
but our current deployment is done via JAMF. we install a pkg with all of the osquery config, and then run osqueryctl start
r
Well, whatever workflow you're aiming to use, we try to suit it best! If you still have hosts that are not enrolling, but have a successful installation of the Fleet pkg, you can look at the fleetd logs on one of the affected hosts and try to find some relevant errors.
a
thank you! the pkg is failing to install on a few hosts, but i’m thinking it’s probably more related to the pkg checksum or something because they are x86_64 macs
looking at the stderr.log for one host, any idea why a successfully enrolled host would have ongoing errors like this?
2025-03-06T17:29:27-05:00 INF enroll failed, retrying error="enroll request: POST /api/fleet/orbit/enroll received status 400 unknown"
I can run a distributed query and scheduled queries are executing as well
also
2025-03-06T14:54:12-05:00 ERR failed initial config fetch: RunConfigReceivers get config: orbit node key enroll failed, attempts=6
2025-03-06T14:54:12-05:00 INF token rotation is enabled
r
@aldente Can you send over the full fleetd logs for that successfully enrolled host on which you're seeing these errors? In terms of the devices that are not successfully installing the Fleet pkg, can you send over the file located at /var/log/install.log for one of the affected hosts?
a
sure will DM you the logs, thanks 🙂